Solved

MS ISA  vs.  Esoft's Instagate EX2  or others

Posted on 2002-04-17
Last Modified: 2013-11-16
We have about forty users here and at the moment are only using a DSL router and NAT for protection. We have finally talked the partners into getting a decent firewall. One of our consultants says MS ISA is the way to go. Another says his company has had nothing but trouble with MS ISA and they switched to Esoft's Instagate EX2 and they love it. Easy to set up and manage.

Does anyone have an opinion on this or a suggestion on a better firewall?

We are running W2K Servers, Exchange 5.5 (soon to be Exchange 2000), DSL for Internet access.

Our wants are to have the most secure firewall we can get for under $2500 - $3000. We would like to be able to block just a few specific sites.

Thanks for your advice in advance,
Rodney
0
Question by:rodney777
12 Comments
 
LVL 5

Accepted Solution

by:
Mishou earned 100 total points
Rodney,

MS ISA is good too. However, you will still be vulnerable to OS problems. That's the reason that I would recommend an appliance.

For that amount of money you can have a firewall appliance. Something like Netscreen 5, WatchGuard (with a plug-in for webfilter).

Or if you want something based on Linux with a nice interface, try Astaro (www.astaro.com), which has web proxy included and VPN capabilities (like the other two mentioned above).


Mishou


0
 
LVL 14

Expert Comment

by:chris_calabrese
I'd second the Netscreens.  They're cheap, fast, easy to manage, and just plain work great.  You might also check out the new CheckPoint SofaWare boxes, or, depending on how small your network is, even something like an SMC Barricade.  All of these are in the sub-$1000 range.

HOWEVER, this all depends on what kind of "extras" you want, like the ability to plug in things like anti-virus scanning, content filtering, easy creation of DMZs, and secure connectivity for remote users.

For these things, look at the slightly higher end Netscreens, the low-end Cisco PIXes, and the Intrusion Inc. CheckPoint boxes.

MS ISA server does have these things, but as Mishou pointed out, do you really want to have the only protection of your network be a Windows box?
0
 
LVL 24

Expert Comment

by:SunBow
ditto above
ISA is too primitive, not easy to understand, built too cheap, but what do you expect from a SW company?

I dunno on Esoft's Instagate EX2, but see no reason to contradict your source.

Rule of thumb is firewall s/b hardware, and Windows is vulnerable, so get that OS behind as many real protections as you can.

Linux is quite common, for going on the cheap.
0
 
LVL 3

Expert Comment

by:erikdr
ISA is not bad but SEVERELY limited in more complicated setups. Main hindrance is that they do not support full DeMilitarisedZone handling - filtering can only be put completely on one of the two NIC borders and not on the other. Most competitors, e.g. Checkpoint, CA and Cisco, handle this a lot better - so I suppose ESoft would do as well.

Hope this helps,

<Erik> - The Netherlands
0
 
LVL 3

Expert Comment

by:FlamingSword
agreed, better to do better
While you await, train staff to quit running EM/'net worms like Klez. Firewalls do not stop the humans
0
 
LVL 3

Expert Comment

by:FlamingSword
ref: http://www.computerworld.com/storyba/0,4125,NAV47_STO70290,00.html
"New variant of Klez worm detected By JAIKUMAR VIJAYAN (April 18, 2002)
A new variant of a worm that takes advantage of vulnerabilities in unpatched Internet Explorer and Outlook Express software from Microsoft Corp. is spreading in the wild, antivirus vendors warned."
0

 

Author Comment

by:rodney777
Thanks for the info everyone.
We were looking at Watchguard's boxes last year and decided on that but now there seem to be more options and we are just trying to make sure we don't miss something.
I'm looking into Checkpoint and Netscreen to see how they compare to Esoft's Instagate EX2.
0
 
LVL 5

Expert Comment

by:BlackDiamond
Another vote for Netscreen here.  My organization runs over 200 appliance firewalls, a combination of Checkpoint, PIX, and Netscreen.  The Netscreens are by far the nicest of the bunch.

If you're getting by with a DSL router right now, then I would say a Netscreen 10 would do just fine (would actually be a much higher performance firewall). You can pick one up for around $1300.
0
 
LVL 16

Expert Comment

by:The--Captain
I vote for Astaro (www.astaro.com) - someone mentioned this was Linux - true enough, but you'd never know it looking at the interface.  It seems to have all the functionality of every appliance I've seen, and is infinitely extensible if you know something about Linux.  I can give you the name of a company that will sell you an Astaro "appliance" as a drop-in solution, if you so desire.

While security through obscurity may not be a great idea, security through diversity is not such a bad thing (although it is arguably a subset of security through obscurity).  For that reason alone, stay away from MS products when choosing your firewall.

-Jon

0
 
LVL 13

Expert Comment

by:hstiles
My vote is for the Watchguard Fireboxes.  They're easy/intuitive to use, fast, reliable, powerful and they have a lot of good features, such as VPN support built in (L2TP from Firebox, PPTP from a standard Windows machine and upgradeable to L2TP from a client if you use their VPN client, which isn't expensive).

They also feature NT authentication, which although not perfect is better than a lot of other products.  The HTTP Proxy (inc. Web Blocker), FTP Proxy and SMTP Proxy are handy too.
0
 
LVL 24

Expert Comment

by:SunBow
Another vote on ISA.
A company called Microsoft tried it, and chose an alternative vendor instead.

Case closed. Between the two, one of them is an obvious loser.
0
 
LVL 5

Expert Comment

by:zenlion420
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts be awarded to Mishou.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor
0
